
Web server security

Dr Jim Briggs



Presentation Transcript


  1. Web server security. Dr Jim Briggs. WEBP security

  2. What do we mean by secure?
     • 100% security
     • Trading off security versus convenience
     • Particular vulnerabilities of the Internet
     • The "wild west"

  3. Vulnerability of web systems
     • Open to the outside world
     • Aim to attract strangers!
     • Left unattended (largely)
     • Lots of potential security holes
     • Running other people's buggy software
     • Running own buggy software (even worse!)
     • Large amount of code (often)
     • Visitors are largely anonymous and can be very remote
     • Communication can be eavesdropped (unless encrypted)
     • Difficult (impossible?) to test exhaustively

  4. Server risks
     • Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
       • Steal confidential documents not intended for their eyes.
       • Execute commands on the server host machine, allowing them to modify the system.
       • Gain information about the Web server's host machine that will allow them to break into the system.
       • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  5. Client risks
     • Browser-side risks, including:
       • Active content (e.g. Java, JavaScript, ActiveX) that
         • crashes the browser
         • damages the user's system
         • breaches the user's privacy, or
         • merely creates an annoyance
       • The misuse of personal information knowingly or unknowingly provided by the end-user
         • passwords
         • credit card numbers
         • other sensitive data

  6. Network risks
     • Interception of network data sent from browser to server or vice versa via network eavesdropping.
     • Eavesdroppers can operate from any point on the pathway between browser and server, including:
       • The network on the browser's side of the connection
       • The network on the server's side of the connection (including intranets)
       • The end-user's Internet service provider (ISP)
       • The server's ISP
       • Either ISP's regional access provider

  7. General security techniques
     • Keep your software up to date with security patches
     • Try not to use unsafe techniques (e.g. CGI, SSI)
       • If you have to use them, test them thoroughly
       • Include own use of hacker tools
     • Design and implement an access control policy (both via the web and to the host server)
     • Log everything; monitor the logs; and investigate suspicious activity
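The last bullet ("log everything; monitor the logs; investigate suspicious activity") is easier to act on with a concrete monitor. The script below is an added example, not part of the slides: it parses access-log lines in Apache Common Log Format and flags hosts that show two common signs of probing, a directory-traversal sequence in the requested path and a run of not-found responses. The log lines, the IP addresses and the threshold of four 404s are all constructed for illustration.

```python
"""Added example (not from the slides): scan constructed web-server access-log
lines in Apache Common Log Format and flag activity worth investigating."""
import re
from collections import Counter, defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log lines (not real traffic); hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:37 +0000] "GET /about.html HTTP/1.0" 200 1024
198.51.100.7 - - [10/Oct/2000:13:56:01 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 512
198.51.100.7 - - [10/Oct/2000:13:56:02 +0000] "GET /admin HTTP/1.0" 404 512
198.51.100.7 - - [10/Oct/2000:13:56:03 +0000] "GET /backup.zip HTTP/1.0" 404 512
198.51.100.7 - - [10/Oct/2000:13:56:04 +0000] "GET /.git/config HTTP/1.0" 404 512
198.51.100.7 - - [10/Oct/2000:13:56:05 +0000] "GET /wp-login.php HTTP/1.0" 404 512
203.0.113.9 - - [10/Oct/2000:13:57:00 +0000] "POST /login HTTP/1.0" 401 0
"""

# Assumed tuning value: 404s from one host before it is flagged as probing.
NOT_FOUND_THRESHOLD = 4


def parse_log(text):
    """Return one dict per line; lines that do not parse are kept, since a
    malformed request line is itself something to look at."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        records.append(m.groupdict() if m else {"host": None, "raw": line})
    return records


def find_suspicious(text, threshold=NOT_FOUND_THRESHOLD):
    """Map host -> list of reasons that host deserves investigation."""
    reasons = defaultdict(list)
    not_found = Counter()
    for rec in parse_log(text):
        host = rec["host"]
        if host is None:
            reasons["<unparsed>"].append("malformed line: " + rec["raw"][:60])
            continue
        path = rec["path"]
        # "../" (or its URL-encoded form) in a request path never occurs in
        # normal browsing; it indicates an attempt to escape the document root.
        if "../" in path or "%2e%2e" in path.lower():
            reasons[host].append("path traversal in " + path)
        if rec["status"] == "404":
            not_found[host] += 1
    for host, n in not_found.items():
        if n >= threshold:
            reasons[host].append(f"{n} not-found responses (probing for hidden files)")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in find_suspicious(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

In practice the same two checks run against the live log (for example by tailing it) and feed an alert rather than a print, and the 404 threshold is tuned against what the site's normal traffic looks like; a high-traffic site will also want the count kept per time window rather than over the whole file.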

  8. Specific server side issues
     • Back door access to the server
       • Remote/local login
       • FTP
       • Alternative web sites hosted on same machine
     • Don't run the server as "root"
     • Turn off un-needed …
       • features in software
       • IP ports
     • Firewalls

  9. Denial of service (DoS) attacks
     • Definition:
       • attack designed to render a computer or network incapable of providing normal services
     • Typical attacks
       • Bandwidth attacks
         • flood network with high volume of traffic
         • consequence: all available network resources are consumed and legitimate user requests cannot get through
       • Connectivity attacks
         • flood computer with high volume of connection requests
         • consequence: all available operating system resources are consumed, and the computer cannot process legitimate requests

  10. Distributed DoS (DDoS) attacks
     • Many hosts simultaneously attack target
     • Typically caused by agent hijacking vulnerable hosts (e.g. via virus)
     • As important to protect your machine from hijack as it is to protect it from attack
     • Techniques:
       • Scan regularly for DDoS tools
       • Do egress filtering (check for spoofed packets)
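Slides 9 and 10 name two defences without showing them: a limit on connection requests per source (against connectivity attacks) and egress filtering of spoofed source addresses (so a hijacked machine on your network cannot take part in a DDoS without being noticed). The code below is an added example, not from the slides, and generalises a little beyond them by handling both IPv4 and IPv6 prefixes. The local prefixes, the sample packets and the limit of three connections per ten seconds are constructed.

```python
"""Added example (not from the slides): an egress filter that drops packets
whose source address is not ours, and a per-source connection limiter.
Prefixes, limits and sample traffic are constructed for illustration."""
import ipaddress
from collections import deque, defaultdict

# Assumed: the address space this network legitimately sends from.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8::/32")]


def egress_allowed(src, prefixes=LOCAL_PREFIXES):
    """True if an outbound packet's source address belongs to one of our prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False            # an unparseable source is never forwarded
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=LOCAL_PREFIXES):
    """Split (src, dst) pairs into those forwarded and those dropped as spoofed.
    A non-empty 'dropped' list from an internal host is a hijack indicator."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_allowed(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


class ConnectionLimiter:
    """Sliding-window cap on new connections per source address, so a flood of
    connection requests from one source cannot exhaust the host's resources."""

    def __init__(self, max_per_window, window_seconds):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.history = defaultdict(deque)   # src -> timestamps of accepted connections

    def accept(self, src, now):
        q = self.history[src]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget attempts older than the window
        if len(q) >= self.max_per_window:
            return False                    # over budget: refuse this attempt
        q.append(now)
        return True


# Constructed sample outbound traffic: (source, destination)
OUTBOUND = [("203.0.113.10", "198.51.100.1"),   # genuine host on our network
            ("192.0.2.77", "198.51.100.1"),     # spoofed: not one of our prefixes
            ("2001:db8::1", "2001:db8:1::1"),   # genuine IPv6 host
            ("not-an-ip", "198.51.100.1")]      # garbage source


def demo_limiter():
    """Ten connection attempts in ten seconds from one source against a limit
    of three per ten seconds, then one more attempt after the window passes.
    Returns (attempts accepted during the burst, accepted after the window)."""
    lim = ConnectionLimiter(max_per_window=3, window_seconds=10)
    accepted = sum(lim.accept("198.51.100.7", now=t) for t in range(10))
    later = lim.accept("198.51.100.7", now=25)
    return accepted, later


if __name__ == "__main__":
    fwd, drop = filter_egress(OUTBOUND)
    print("forwarded:", fwd)
    print("dropped (spoofed):", drop)
    print("limiter:", demo_limiter())
```

A real deployment puts the egress rule on the border router or host firewall rather than in Python, but the decision is the same one line: source not in our prefixes, drop and log. The limiter is deliberately per-source; a distributed attack spreads over many sources, which is why the slide also stresses keeping your own hosts from being hijacked.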

  11. HTTP security
     • Authentication
       • Basic
       • Digest
     • Secure transport
       • SSL
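The two authentication schemes differ in what an eavesdropper on the path (slide 6) can learn. As an added example, not from the slides, the code below builds the Basic header and shows that it decodes straight back to the password, then walks through a Digest challenge/response (the RFC 2617 qop=auth computation) in which only a hash of the password crosses the wire and the server verifies it from a stored hash. All usernames, passwords, realms and nonces are constructed.

```python
"""Added example (not from the slides): what HTTP Basic and Digest
authentication actually send, and what each reveals to an eavesdropper.
Credentials, realm and nonces below are constructed."""
import base64
import hashlib
import secrets


def basic_header(user, password):
    """Basic auth: the credentials are only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def eavesdrop_basic(header):
    """Anyone on the path recovers the password from a Basic header directly."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what the server's password file
    stores, so the cleartext password never has to cross the wire."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri). The server nonce binds it to one challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server recomputes the expected response from its stored HA1 and the
    challenge values it issued, and compares in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def digest_exchange(user, password, realm, method, uri):
    """One full challenge/response round. Returns (response sent, verified?).
    The server side works only from HA1, never from the typed password."""
    nonce = secrets.token_hex(16)                 # server: fresh nonce per challenge
    cnonce = secrets.token_hex(8)                 # client: its own nonce
    nc = "00000001"
    client_ha1 = digest_ha1(user, realm, password)
    response = digest_response(client_ha1, method, uri, nonce, nc, cnonce)
    stored_ha1 = digest_ha1(user, realm, password)   # what the server has on file
    return response, server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", eavesdrop_basic(hdr))
    print(digest_exchange("alice", "s3cret", "example", "GET", "/dir/index.html"))
```

Digest keeps the password off the wire and the per-challenge nonce stops a captured response being replayed, but it still leaves the request and reply readable and rests on MD5; the third bullet on the slide, SSL (today TLS), is what protects the whole exchange, and Basic over TLS is the usual combination in practice.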
